← All articles

Signal phishing campaign impersonates Support to steal backup recovery keys from journalists and activists, enabling full message decryption

Security researchers are warning of a phishing campaign that impersonates Signal Support over text message to steal users' backup recovery keys, specifically targeting journalists and activists. Once an attacker obtains the recovery key, they can decrypt the victim's entire message-history backup. The campaign relies purely on social engineering - there is no flaw in Signal's cryptography - tricking targets into handing over the secret that protects their encrypted backups. The targeting of journalists and activists points to surveillance-motivated actors rather than financially-driven crime. Signal users should treat any unsolicited 'Support' contact requesting recovery keys or codes as hostile, since Signal never asks for them.

Check
Brief journalists, activists, and high-risk staff that Signal never requests backup recovery keys. Treat any 'Signal Support' text asking for keys or codes as a phishing attempt and report it.
Affected
Signal users - particularly journalists and activists targeted by surveillance-motivated actors. The attack is pure social engineering; Signal's encryption is not broken, but a handed-over recovery key decrypts all backups.
Fix
Never share Signal recovery keys or codes with anyone. Enable registration lock. For high-risk users, store recovery keys offline and verify any support contact through official Signal channels only.